Malware-stricken home appliances aren’t that much of a science fiction these days. Two ethical hackers took the floor at the Def Con 24 security event last week to demonstrate a proof-of-concept involving a compromise of a smart device.
Andrew Tierney and Ken Munro with Pen Test Partners, a UK based penetration testing and security services firm, were able to install a piece of ransomware on a smart thermostat by unnamed manufacturer. This has allowed the white hat attackers to set arbitrary temperature in one’s hypothetical home, 99 degrees for instance, and display an alert on the gadget’s screen demanding a ransom of 1 Bitcoin, which is currently worth $591. Effectively, the audience of Def Con’s IoT Village witnessed an assault that can put individuals at risk through impairing direct physical damage. The offending code is capable of literally making the infected end users freeze or swelter unless they cough up a pretty penny. Fortunately, this is simply a PoC done by enthusiasts with good intentions, but they proved that a predicament like that is beyond pure theory.
The researchers started with harnessing the openly available FCC ID Search resource in order to obtain the device’s chipset details and photos. This way, they determined that the targeted thermostat runs Linux, has a Wi-Fi module and uses an SD card. The purpose of the SD card slot is to allow users to customize the device by setting screensavers and configuring temperature schedules. To set up a custom profile, the consumer is supposed to use an Adobe Air app on a computer. It turned out, this software is the weak link in this whole chain, because it enables a threat actor to access the firmware.
By getting root on this firmware, which isn’t much of a hurdle with the right tech skills, it’s possible to pull off command injection and thus run random commands on the equipment. To add insult to injury, there is no proper code verification in place, so any input is ‘welcome’. In this particular case, all it takes to perform the compromise is insert a booby-trapped SD card into the thermostat’s memory card slot. Once the bad code is executed, it forces the device to crank up the heat or get it down and displays a warning notification on the screen, saying “You suck! Pay 1 Bitcoin to get control back.” Having paid up, the user gets a PIN that changes with an interval of 30 seconds, so it’s barely feasible to guess it otherwise.
Although this proof-of-concept reflects a local attack that requires physical access to the device to insert the SD card with malicious code on it, it can be deployed remotely as well. How about selling pre-infected memory cards via ecommerce sites? Another contamination vector is to upload wallpapers with an obfuscated malign component on to web pages where customers will then download these unsafe images. All in all, whereas the growth of the Internet of Things certainly poses numerous benefits to users, the manufacturers of smart devices should take security more seriously and implement efficient input validation to eliminate real-world risks.